File openssl-1.0.2h-trusted-first-doc.patch of Package mingw64-openssl

Overview Repositories Revisions Requests Users Attributes Meta

File openssl-1.0.2h-trusted-first-doc.patch of Package mingw64-openssl

diff --git a/apps/cms.c b/apps/cms.c
index 6047937..f30ee8d 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -646,6 +646,8 @@ int MAIN(int argc, char **argv)
                    "-CApath dir    trusted certificates directory\n");
         BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");
         BIO_printf(bio_err,
+                   "-trusted_first use trusted certificates first when building the trust chain\n");
+        BIO_printf(bio_err,
                    "-no_alt_chains only ever use the first certificate chain found\n");
         BIO_printf(bio_err,
                    "-crl_check     check revocation status of signer's certificate using CRLs\n");
diff --git a/apps/ocsp.c b/apps/ocsp.c
index 5da51df..178b8a1 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -537,6 +537,8 @@ int MAIN(int argc, char **argv)
         BIO_printf(bio_err,
                    "-CAfile file         trusted certificates file\n");
         BIO_printf(bio_err,
+                   "-trusted_first       use trusted certificates first when building the trust chain\n");
+        BIO_printf(bio_err,
                    "-no_alt_chains       only ever use the first certificate chain found\n");
         BIO_printf(bio_err,
                    "-VAfile file         validator certificates file\n");
diff --git a/apps/s_client.c b/apps/s_client.c
index 0c1102b..43e5a8a 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -332,6 +332,8 @@ static void sc_usage(void)
     BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n");
     BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n");
     BIO_printf(bio_err,
+               " -trusted_first - Use trusted CA's first when building the trust chain\n");
+    BIO_printf(bio_err,
                " -no_alt_chains - only ever use the first certificate chain found\n");
     BIO_printf(bio_err,
                " -reconnect    - Drop and re-make the connection with the same Session-ID\n");
diff --git a/apps/s_server.c b/apps/s_server.c
index 09c755b..e9e44ba 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -578,6 +578,8 @@ static void sv_usage(void)
     BIO_printf(bio_err, " -CApath arg   - PEM format directory of CA's\n");
     BIO_printf(bio_err, " -CAfile arg   - PEM format file of CA's\n");
     BIO_printf(bio_err,
+               " -trusted_first - Use trusted CA's first when building the trust chain\n");
+    BIO_printf(bio_err,
                " -no_alt_chains - only ever use the first certificate chain found\n");
     BIO_printf(bio_err,
                " -nocert       - Don't use any certificates (Anon-DH)\n");
diff --git a/apps/s_time.c b/apps/s_time.c
index 38788f7..afe9d33 100644
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -182,6 +182,7 @@ static void s_time_usage(void)
                 file if not specified by this option\n\
 -CApath arg   - PEM format directory of CA's\n\
 -CAfile arg   - PEM format file of CA's\n\
+-trusted_first - Use trusted CA's first when building the trust chain\n\
 -cipher       - preferred cipher to use, play with 'openssl ciphers'\n\n";
 
     printf("usage: s_time <args>\n\n");
diff --git a/apps/smime.c b/apps/smime.c
index 6044ccf..a310e8f 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -442,6 +442,8 @@ int MAIN(int argc, char **argv)
                    "-CApath dir    trusted certificates directory\n");
         BIO_printf(bio_err, "-CAfile file   trusted certificates file\n");
         BIO_printf(bio_err,
+                   "-trusted_first use trusted certificates first when building the trust chain\n");
+        BIO_printf(bio_err,
                    "-no_alt_chains only ever use the first certificate chain found\n");
         BIO_printf(bio_err,
                    "-crl_check     check revocation status of signer's certificate using CRLs\n");
diff --git a/apps/ts.c b/apps/ts.c
index 341a42b..002ed9c 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -352,7 +352,7 @@ int MAIN(int argc, char **argv)
                "ts -verify [-data file_to_hash] [-digest digest_bytes] "
                "[-queryfile request.tsq] "
                "-in response.tsr [-token_in] "
-               "-CApath ca_path -CAfile ca_file.pem "
+               "-CApath ca_path -CAfile ca_file.pem -trusted_first"
                "-untrusted cert_file.pem\n");
  cleanup:
     /* Clean up. */
diff --git a/apps/verify.c b/apps/verify.c
index 78e729f..0acff90 100644
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -231,7 +231,7 @@ int MAIN(int argc, char **argv)
  end:
     if (ret == 1) {
         BIO_printf(bio_err,
-                   "usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-crl_check]");
+                   "usage: verify [-verbose] [-CApath path] [-CAfile file] [-trusted_first] [-purpose purpose] [-crl_check]");
         BIO_printf(bio_err, " [-no_alt_chains] [-attime timestamp]");
 #ifndef OPENSSL_NO_ENGINE
         BIO_printf(bio_err, " [-engine e]");
diff --git a/doc/apps/cms.pod b/doc/apps/cms.pod
index 4eaedbc..8074253 100644
--- a/doc/apps/cms.pod
+++ b/doc/apps/cms.pod
@@ -35,6 +35,7 @@ B<openssl> B<cms>
 [B<-print>]
 [B<-CAfile file>]
 [B<-CApath dir>]
+[B<-trusted_first>]
 [B<-no_alt_chains>]
 [B<-md digest>]
 [B<-[cipher]>]
@@ -245,6 +246,12 @@ B<-verify>. This directory must be a standard certificate directory: that
 is a hash of each subject name (using B<x509 -hash>) should be linked
 to each certificate.
 
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory before untrusted certificates
+from the message when building the trust chain to verify certificates.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
 =item B<-md digest>
 
 digest algorithm to use when signing or resigning. If not present then the
diff --git a/doc/apps/ocsp.pod b/doc/apps/ocsp.pod
index 9833f08..48a78f1 100644
--- a/doc/apps/ocsp.pod
+++ b/doc/apps/ocsp.pod
@@ -29,6 +29,7 @@ B<openssl> B<ocsp>
 [B<-path>]
 [B<-CApath dir>]
 [B<-CAfile file>]
+[B<-trusted_first>]
 [B<-no_alt_chains>]
 [B<-VAfile file>]
 [B<-validity_period n>]
@@ -144,6 +145,13 @@ connection timeout to the OCSP responder in seconds
 file or pathname containing trusted CA certificates. These are used to verify
 the signature on the OCSP response.
 
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory over certificates provided
+in the response or residing in other certificates file when building the trust
+chain to verify responder certificate.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
 =item B<-no_alt_chains>
 
 See L<B<verify>|verify(1)> manual page for details.
diff --git a/doc/apps/s_client.pod b/doc/apps/s_client.pod
index 618df96..a5d8982 100644
--- a/doc/apps/s_client.pod
+++ b/doc/apps/s_client.pod
@@ -19,6 +19,7 @@ B<openssl> B<s_client>
 [B<-pass arg>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
+[B<-trusted_first>]
 [B<-no_alt_chains>]
 [B<-reconnect>]
 [B<-pause>]
@@ -121,7 +122,7 @@ also used when building the client certificate chain.
 A file containing trusted certificates to use during server authentication
 and to use when attempting to build the client certificate chain.
 
-=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig -no_alt_chains>
+=item B<-purpose, -ignore_critical, -issuer_checks, -crl_check, -crl_check_all, -policy_check, -extended_crl, -x509_strict, -policy -check_ss_sig, -trusted_first -no_alt_chains>
 
 Set various certificate chain valiadition option. See the
 L<B<verify>|verify(1)> manual page for details.
diff --git a/doc/apps/s_server.pod b/doc/apps/s_server.pod
index 6f4acb7..c2e2859 100644
--- a/doc/apps/s_server.pod
+++ b/doc/apps/s_server.pod
@@ -33,6 +33,7 @@ B<openssl> B<s_server>
 [B<-state>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
+[B<-trusted_first>]
 [B<-no_alt_chains>]
 [B<-nocert>]
 [B<-cipher cipherlist>]
@@ -175,6 +176,12 @@ and to use when attempting to build the server certificate chain. The list
 is also used in the list of acceptable client CAs passed to the client when
 a certificate is requested.
 
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory before other certificates 
+when building the trust chain to verify client certificates.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
 =item B<-no_alt_chains>
 
 See the L<B<verify>|verify(1)> manual page for details.
diff --git a/doc/apps/s_time.pod b/doc/apps/s_time.pod
index 9082d87..7c0315a 100644
--- a/doc/apps/s_time.pod
+++ b/doc/apps/s_time.pod
@@ -14,6 +14,7 @@ B<openssl> B<s_time>
 [B<-key filename>]
 [B<-CApath directory>]
 [B<-CAfile filename>]
+[B<-trusted_first>]
 [B<-reuse>]
 [B<-new>]
 [B<-verify depth>]
@@ -76,6 +77,12 @@ also used when building the client certificate chain.
 A file containing trusted certificates to use during server authentication
 and to use when attempting to build the client certificate chain.
 
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory over the certificates provided
+by the server when building the trust chain to verify server certificate.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
 =item B<-new>
 
 performs the timing test using a new session ID for each connection.
diff --git a/doc/apps/smime.pod b/doc/apps/smime.pod
index d5618c8..b05139b 100644
--- a/doc/apps/smime.pod
+++ b/doc/apps/smime.pod
@@ -15,6 +15,9 @@ B<openssl> B<smime>
 [B<-pk7out>]
 [B<-[cipher]>]
 [B<-in file>]
+[B<-CAfile file>]
+[B<-CApath dir>]
+[B<-trusted_first>]
 [B<-no_alt_chains>]
 [B<-certfile file>]
 [B<-signer file>]
@@ -147,6 +150,12 @@ B<-verify>. This directory must be a standard certificate directory: that
 is a hash of each subject name (using B<x509 -hash>) should be linked
 to each certificate.
 
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory over certificates provided
+in the message when building the trust chain to verify a certificate.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
 =item B<-md digest>
 
 digest algorithm to use when signing or resigning. If not present then the
diff --git a/doc/apps/ts.pod b/doc/apps/ts.pod
index d6aa47d..c512346 100644
--- a/doc/apps/ts.pod
+++ b/doc/apps/ts.pod
@@ -46,6 +46,7 @@ B<-verify>
 [B<-token_in>]
 [B<-CApath> trusted_cert_path]
 [B<-CAfile> trusted_certs.pem]
+[B<-trusted_first>]
 [B<-untrusted> cert_file.pem]
 
 =head1 DESCRIPTION
@@ -324,6 +325,12 @@ L<verify(1)|verify(1)> for additional details. Either this option
 or B<-CApath> must be specified.
 (Optional)
 
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory before other certificates
+when building the trust chain to verify certificates.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
 =item B<-untrusted> cert_file.pem
 
 Set of additional untrusted certificates in PEM format which may be
diff --git a/doc/apps/verify.pod b/doc/apps/verify.pod
index bffa6c0..145be60 100644
--- a/doc/apps/verify.pod
+++ b/doc/apps/verify.pod
@@ -9,6 +9,7 @@ verify - Utility to verify certificates.
 B<openssl> B<verify>
 [B<-CApath directory>]
 [B<-CAfile file>]
+[B<-trusted_first>]
 [B<-purpose purpose>]
 [B<-policy arg>]
 [B<-ignore_critical>]
@@ -85,6 +86,12 @@ If a valid CRL cannot be found an error occurs.
 A file of untrusted certificates. The file should contain multiple certificates
 in PEM format concatenated together.
 
+=item B<-trusted_first>
+
+Use certificates in CA file or CA directory before the certificates in the untrusted
+file when building the trust chain to verify certificates.
+This is mainly useful in environments with Bridge CA or Cross-Certified CAs.
+
 =item B<-purpose purpose>
 
 The intended use for the certificate. If this option is not specified,

Places

File openssl-1.0.2h-trusted-first-doc.patch of Package mingw64-openssl

Places